Description

[0001] The present invention relates to securely delivering
encrypted digital data.

[0002] Extraordinary headway in digital technology 
today has made it possible to deliver all kinds of digital 
data over networks or by means of storage media. Such
data include character data (e.g., text, symbols and fig- 
ures), audio data (voices and pieces of music), video 
data (still and moving pictures), audio-video composite 
data (movies and broadcast programs), program data, 
database data and others, typically referred to as con- 
tent data, or simply content. 

[0003] Some digital data delivered may consist of a 
single data file; others may be composed of a plurality 
of data files. Some of such data files may have informa- 
tion composed of a single content; others may include 
information constituted by multiple contents. Each of 
these contents may be divided into a plurality of digital 
data. 

[0004] It is not difficult to make perfect copies of digital 
data. Once unauthorised copies are made (e.g., through 
unauthorised decoding and reproduction, unlawful du- 
plication, or illicit diversion of products to the black mar- 
ket), copyright holders and others involved in the legiti- 
mate creation, display or delivery of content may suffer 
significant economic injury or other damage. Concern 
over such unauthorised practices has accelerated the 
recent move to establish a framework for protection of 
content providers (such as content producers, distributors
and deliverers). In particular, the possibility of devising
measures to deter unauthorised copies is being explored
to protect valuable contents that take enormous
cost and labour to produce (such as movies). 
[0005] WO 00/59154 (Philips) discloses a method of
delivering encrypted content material to a plurality of 
destinations where the material is decrypted. Each des- 
tination has a unique private key of a public-private key 
pair. 

[0006] Destinations D1 to D4 generate respective
public keys Y1 to Y4 (Yp) and respective private keys
y1 to y4 (yp) where

$$Y_p = g^{y_p} \bmod n$$

where n is a large prime number and g is a primitive
mod n.

[0007] The public keys Yp are sent to a source which
generates a "session key"

$$K = (Y_1 \times Y_2 \times Y_3 \times Y_4)^{x} \bmod n$$

[0008] Where x is the private key of the source.
[0009] The source generates a public group key

$$X = g^{x} \bmod n$$

and partial keys X1, X2, X3, X4 (Xp) where

$$X_1 = (Y_2 \times Y_3 \times Y_4)^{x} \bmod n$$

$$X_2 = (Y_1 \times Y_3 \times Y_4)^{x} \bmod n$$

$$X_3 = (Y_1 \times Y_2 \times Y_4)^{x} \bmod n$$

$$X_4 = (Y_1 \times Y_2 \times Y_3)^{x} \bmod n$$

[0010] A destination Dp receives encrypted material
encrypted using the session key K, the public group key
X of the source and the partial key Xp unique to that
destination. The session key K is recovered at the
destination p as

$$K_p = X_p \times X^{y_p} = K$$

as explained in WO 00/59154.

[0011] The destination decrypts the encrypted mate- 
rial using K. 
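
The key relations of paragraphs [0006] to [0010], worked through in Python as an added example (not code from WO 00/59154 or from this patent). The modulus 2**127 - 1, the base g = 3 and all function names are assumptions chosen for illustration; the sizes are far too small for real use.

```python
"""Added illustration of the group key arithmetic quoted in [0006]-[0010]."""
import secrets
from math import prod

# Toy parameters (assumptions, not from the cited document).
N = 2**127 - 1   # a Mersenne prime, used here as the modulus n
G = 3            # base g; the identity K_p = K holds for any g


def public_key(y):
    """Destination side: Y_p = g^y_p mod n."""
    return pow(G, y, N)


def source_keys(x, dest_public):
    """Source side: return (K, X, [X_1..X_m]) for the source private key x.

    K   = (Y_1 * ... * Y_m)^x mod n      session key
    X   = g^x mod n                      public group key
    X_p = (product of all Y_q, q != p)^x mod n   partial key for destination p
    """
    session = pow(prod(dest_public) % N, x, N)
    group = pow(G, x, N)
    partial = []
    for p in range(len(dest_public)):
        others = prod(Y for q, Y in enumerate(dest_public) if q != p) % N
        partial.append(pow(others, x, N))
    return session, group, partial


def recover(partial_p, group, y_p):
    """Destination side: K_p = X_p * X^y_p mod n.

    X^y_p = g^(x*y_p) = Y_p^x supplies the one factor that X_p leaves out,
    so the product equals K only for the matching (X_p, y_p) pair.
    """
    return (partial_p * pow(group, y_p, N)) % N


def demo(num_dest=4):
    """Run the exchange with random private keys; True if all recover K."""
    ys = [secrets.randbelow(N - 3) + 2 for _ in range(num_dest)]
    x = secrets.randbelow(N - 3) + 2
    session, group, partial = source_keys(x, [public_key(y) for y in ys])
    return all(recover(partial[p], group, ys[p]) == session
               for p in range(num_dest))


if __name__ == "__main__":
    print("every destination recovers K:", demo())
```

The partial key Xp is useless without the matching private key yp, which is why it can travel with the encrypted material while yp never leaves the destination.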

[0012] EP 0800293 and Schneier B "Applied Cryptography"
John Wiley & Sons, US 1996, pages 176 and 177
disclose encryption systems in which partial keys or in- 
formation for generating partial keys are delivered over 
different routes or channels. 

[0013] The present invention is intended to make
more difficult unauthorised copying, reproduction, diver- 
sion, etc. of content; and provides a technique for deliv- 
ering digital data in a secure manner that makes illicit 
copying difficult. 

[0014] According to one aspect of the present invention,
there is provided a digital data delivery method for
use in delivering digital data from an upstream system
to a downstream system, said upstream system providing
multipoint delivery of encrypted digital data to specific
destinations, and said downstream system decrypting
the delivered digital data, said method comprising
the steps of: encrypting digital data by said upstream
using an encryption key; generating on the basis of said
encryption key, a set of passkeys specific to each of said
specific destinations; generating a plurality of partial
keys based on a portion of the passkeys in said set or
a portion of passkey information from which said passkeys
may be reproduced; delivering either said plurality
of partial keys or partial key information, from which said
partial keys may be reproduced, and delivering the remaining
passkeys not used to generate said partial keys
or the remaining passkey information, to each of said
specific destinations over a plurality of delivery routes
which differ from routes for delivering said digital data
and which are further different from each other; delivering
the encrypted digital data; restoring said encryption
key by using said downstream system using either said
plurality of partial keys or said partial key information
and using either said remaining passkeys or said remaining
passkey information delivered over said plurality
of delivery routes; and using the restored encryption
key to decrypt the encrypted digital data.
[0015] In the present description, keys that are ob- 
tained directly from an encryption key by dividing the lat- 
ter are referred to as passkeys, and keys generated by 
further dividing a passkey are called partial keys. Both 
passkeys and partial keys are the same in nature in that 
they are part of the initial encryption key. In the descrip- 
tion that follows, keys used to encrypt the encryption key 
are called multiple keys. The process used to encrypt 
an encryption key may be performed once or a number 
of times before the encrypted encryption key is delivered 
to a destination. 

[0016] In a preferred method a said set of passkeys 
specific to a destination is generated by dividing the said 
encryption key by a division pattern unique to the des- 
tination of the set. 

[0017] In a preferred method a said set of partial keys
is generated by dividing a portion of a said set of passkeys
specific to a destination by a predetermined division
pattern specific to the destination of the set.
[0018] This and other aspects of the present invention 
are specified in the claims to which attention is invited.
[0019] Embodiments of the invention will now be de- 
scribed, by way of example only, with reference to the 
accompanying drawings in which: 

Fig. 1 is a schematic diagram representing the typical
structure of a data delivery system;
Fig. 2 depicts the data structure of digital data de- 
livered by the delivery system; 
Fig. 3 is a schematic diagram indicating how an ex- 
ample embodiment of the present invention is 
adapted for use as a movie content delivery system; 
Fig. 4 is a block diagram of a data delivery system; 
Fig. 5 is a block diagram of an embodiment of a data 
delivery system embodying the invention; 
Fig. 6 is a block diagram of a further embodiment
of a data delivery system embodying the invention; 
Fig. 7 is a block diagram of a data delivery system; 
Fig. 8 is a block diagram of yet another data delivery 
system; 

Fig. 9 is a block diagram of another data delivery
system embodying the invention; 
Fig. 10 is a block diagram of yet a further embodiment
of a data delivery system embodying the invention;

Fig. 11 is a block diagram of still an additional data
delivery system;
Fig. 12 is a block diagram of another data delivery
system;
Fig. 13 is a block diagram of a further data delivery
system;
Fig. 14 is a block diagram of an additional data delivery
system;

Fig. 15 is a block diagram of another data delivery 
system; 

Fig. 16 is a block diagram of still another data de- 
livery system; 

Fig. 17 is a block diagram of yet an additional data 
delivery system; and 

Fig. 18 is a summary table of the characteristics of 
arrangements, known as operation platforms, used 
with the data delivery systems in accordance with 
some example embodiments of the present inven- 
tion. 

[0020] Fig. 1 schematically represents a system in 
which a delivery agent delivers digital data to multiple 
destinations. In the depicted arrangement, the delivery 
agent includes a distribution rights holder 1 possessing 
the right to distribute content (i.e. digital data) and a de- 
livery business operator 2 who delivers, or transmits, 
content. The distribution rights holder and the delivery 
agent may be the same entity or they may be different 
entities; and a plurality of parties may constitute the de- 
livery agent. 

[0021] The distribution rights holder 1 may be a party 
who has obtained from content producers the right to 
distribute content (i.e., digital data). For example, a con- 
tent producer may be the distribution rights holder; or 
the distribution rights holder may be a joint venture in- 
volving content producers. The destinations include in- 
dividuals and businesses (such as theater operators). 
[0022] In the arrangement described below, an up- 
stream system includes the operating system of the dis- 
tribution rights holder system and the delivery system of 
the delivery agent; and a downstream system is consti- 
tuted by a system of destinations. The digital data to be 
delivered includes character data (such as text, symbols 
and figures), audio data (such as voices and pieces of 
music), video data (such as still and moving pictures), 
audio-video composite data (such as movies and broad- 
cast programs), program data, database data, and other 
digital data. Also included is attached information such 
as IDs known as meta-data (ID information on media), 
information relating to the date on which the data was 
generated (e.g. the date of shooting the picture), loca- 
tions, people, and various conditions. 
[0023] In Fig. 1, the digital data is delivered over a
high-speed multipoint delivery network 3 suitable for de- 
livering large quantities of data at high speed in a broad- 
band environment. A content producer 1 sends digital 
data content to an electronic delivery operator 2 from
which the content is delivered to specific destinations A,
B, etc., over the high-speed multipoint delivery network 
3. It is also contemplated to deliver the content on 
CD-ROMs, DVDs or other suitable storage media. The 
high-speed multipoint delivery network 3 is a broadband 
network which may include a broadcasting satellite, op- 
tic fibers and/or other resources. Such a network is ca- 
pable of transmitting large quantities of data at least in 
the downward direction. Alternatively, the network may 
have bidirectional capabilities permitting mass data 
transmission in both the upward and the downward di- 
rections. 

[0024] The high-speed delivery network 3 carries data 
8 whose structure typically is of the type shown in Fig. 
2. Fig. 2 illustrates the use of a key 8A to indicate that 
a network provider (not necessarily the delivery agent) 
reinforces the secrecy of the communication service it 
provides by use of its own encryption key to encrypt, or 
lock, the data it delivers. This encryption key may or may 
not be used depending on various circumstances, such 
as the overall security of the data or of the delivery system,
cost, effect on reception, etc. Nevertheless, it is expected
that most network providers will encrypt data
over the networks they operate, especially since this 
portrays the business operator to be more secure than 
any other candidates. Although not shown in Fig. 2, in 
practice a header is provided with the data 8. 
[0025] The portion enclosed by broken lines in Fig. 2 
corresponds to the data delivered by the delivery agent 
(also referred to as the delivery business operator) 2. In 
the illustrated example, the data contains a file alloca- 
tion table (FAT) 8B indicating data or file storage infor- 
mation, operation data 8C including digital data usage 
conditions (destinations, duration of reproduction al- 
lowed at each destination, number of reproduction cy- 
cles permitted, and the like), video data 8D, and audio 
data 8E. 

[0026] The illustration of locks associated with re- 
spective data items shows that the different data items 
are each protected by encryption processes performed 
by the distribution rights holder or the delivery business 
operator (singly or both of them working in cooperation). 
The encryption key used here is generally common to 
all data items. Alternatively, different encryption keys 
may be adopted for different data types (e.g., for differ- 
ent sets of video data). As another alternative, a different 
encryption key may be used to encrypt each of the re- 
spective data items regardless of the data type. 
[0027] As depicted in Fig. 2, a given content is deliv- 
ered in multiple formats. That is, a single content (such 
as a movie or a video program) is delivered by using a 
plurality of types of coding and decoding video and audio
data (i.e. different codec methods). In the example
of Fig. 2, video content is delivered in three video data 
types using three different codec methods. Typical co- 
dec methods include MPEG (Moving Picture Experts 
Group) standards, wavelet transformation and others. 
[0028] Using different coding methods for delivering
a video content confers higher degrees of freedom on
the system configuration at destinations receiving the
delivered content. This means the user at each destination
may continue to use his existing system without
having to adopt an unfamiliar codec system dedicated
to the digital data delivery service in question. Such a 
multiple format delivery scheme benefits the delivery 
agents because they need not limit their customers to 
specific destinations possessing a particular system.
The destinations also benefit from the scheme because
they can utilize existing equipment thanks to the wide 
selectable range of coding to deliver the digital data. 
[0029] The foregoing applies to the audio data 8E as 
well. The example of Fig. 2 shows two audio data items
coded by two different codec methods. Typical codec
methods that may be used include MPEG standards 
and others. 

[0030] In the system of Fig. 1, the data that can be
received by a household, indicated for example as
destination A, is made up of a video data item coded by a
video codec VCD1 and an audio data item coded by an
audio codec ACD1. At this destination, these data items
in the delivered data 8 are selectively extracted or
reproduced on the basis of FAT. On the other hand, the
data that can be received by a business operator,
indicated for example as destination B, is composed of a
video data item coded by a video codec VCD2 and an
audio data item coded by an audio codec ACD2. At this
destination B, these data items in the delivered data 8
are selectively extracted or reproduced on the basis of
FAT. However, it is not necessary to deliver all data in 
multiple formats at all times; each destination may alter- 
natively be supplied with data solely in the formats typ- 
ically used by that destination. 

[0031] The delivered digital data are decrypted at the
destination by a decryption server 33, to be described
later, before being output to an output device 34. The
processes performed internally by the decryption server
33 and output device 34 will be described later. The
delivery of encryption keys needed to decrypt the encrypted
digital data provides conditional access to that data.
In Fig. 1, there are two encryption key delivery routes:
one is a wide area network (transmission medium) 4,
and the other is a storage medium 5. Fig. 1 shows a
typical delivery arrangement where at least two types of
key information are needed to restore a common
encryption key, with a portion of the key information
delivered electronically over the wide area network 4 and the
remaining key information delivered physically on the
storage medium 5.

[0032] The wide area network 4 in the arrangement is 
assumed to be a typical transmission network capable 
of bidirectional communication, such as a public 
switched network (e.g., the Internet, an ATM network, a
packet switched network or the like) or a leased line
network. The storage medium 5 may be a magnetically
readable medium, an optically readable medium, a
semiconductor memory or the like. The storage medium may
be delivered by postal service, by a home delivery service,
or by other conventional delivery services.
[0033] It is assumed, for the purpose of the present 
description, that the encryption key used to encrypt dig- 
ital data is common to all destinations and that a set of 
key information delivered individually to each destina- 
tion is unique to that destination. When each destination 
is supplied with its own key information, the encryption 
key used to encrypt the digital data cannot be restored 
unless and until all of the key information sent to a spe- 
cific destination is acquired. This makes it harder or 
more time-consuming to misappropriate all of the nec- 
essary key information. In addition, each digital data 
item may have its own set of key information. 
[0034] The encryption key used to encrypt the digital 
data preferably should be specific to each content to be 
delivered. With this arrangement, even if all key infor- 
mation is misappropriated, resulting in the unauthorized 
restoring of digital data, the injury is limited only to the 
content encrypted by that specific key. Of course, it is 
not mandatory for the encryption key to be unique to 
each content; a common encryption key may be utilized
for a plurality of contents. Nevertheless, the delivery 
system as a whole should have enhanced capabilities 
of security against unauthorized recovery of data; and 
the individual encryption keys should not be restricted 
by any particular rules. The degree of data security may 
vary depending on the content to be delivered as well 
as on the delivery agent's business policy. 
[0035] The present invention envisages having key 
information conveyed by a plurality of different routes, 
such as a network and a storage medium, as shown in 
Fig. 1. The multiple delivery route approach is adopted
because of the different characteristics thereof, as out- 
lined below. 

[0036] An advantage of using a network is that it per- 
mits immediate delivery of key information. A disadvan- 
tage of a network is the difficulty in verifying whether the 
key information has been misappropriated. One disad- 
vantage of using storage media is that it takes time for 
each destination to acquire (i.e., receive) the delivered 
key information. An advantage of storage media is the 
relative ease to ascertain whether the key information 
has been misappropriated. 

[0037] The present invention contemplates combina- 
tions of network-based and physical data delivery sys- 
tems involving a storage medium. If there is little or no 
possibility of data being misappropriated on the net- 
work, all key information may be delivered over the net- 
work. If there is sufficient time between the delivery of 
key information and the delivery of content, (e.g., the 
content is delivered days after the key information is dis- 
seminated), all key information may be delivered using 
storage media. 

[0038] The present invention also contemplates vari- 
ous encryption methods presently known as well as 
those techniques that will emerge in the future. 
[0039] In Fig. 1, the key information delivered over two
routes (wide area network 4 and storage medium 5) is
generally constituted by a set of passkeys (partial keys)
divided from the encryption key using a key division
pattern specific to each destination. The set of passkeys
alternatively may be formed by multiple keys generated
specifically for each destination, with the encryption key
being encrypted by the specific multiple keys and sent
to the corresponding destination.
[0040] Fig. 3 shows a typical arrangement suited to
deliver movie content electronically.

[0041] A movie production company 1a is used as the
content producer 1 of Fig. 1, and theaters A and B
receive digital data as the destinations 6 and 7 of Fig. 1.
Fig. 3 includes film-to-video conversion (telecine
processing) 9 that converts film images provided by the
movie production company 1a into electronic images.
Although not shown specifically in Fig. 3, theaters A and
B may be of any scale such as large movie theaters,
small single screen theaters or so-called cinema
complexes.

[0042] Fig. 4 is an example of a delivery system having
an upstream system made up of a content distribution
rights holder 1 and an electronic delivery business
operator 2; and a downstream system specific to each
destination to which digital data is delivered. The
upstream system generates an encryption key specific to
each digital data item and encrypts the digital data using
the corresponding encryption key. A set of passkeys
unique to a respective specific destination is generated
on the basis of the encryption key and a portion of the
set of passkeys (or passkey information from which the
set of passkeys may be produced) is delivered to the
respective destination over a network. The rest of the
set of passkeys (or passkey information) is written to a
dedicated storage medium for physical delivery to the
respective destination. The encrypted digital data is
delivered to the destinations according to a delivery
schedule (e.g. network broadcasting, pay-per-view movie, or
the like).

[0043] The downstream system restores the encryption
key specific to the corresponding digital data item,
based both on the portion of the set of passkeys (or the
passkey information) delivered over the network, and on
the rest of the set of passkeys (or passkey information)
delivered on the storage medium. The restored encryption
key is used to decrypt the encrypted digital data.
[0044] In this example, the encryption key used to en- 
crypt the digital data is divided, or parsed, by a division 
rule specific to each destination (i.e., each downstream
system) into a set of passkeys. A portion of the set of
passkeys thus generated is transmitted to the destina- 
tion over a network, and the rest of the set is delivered 
physically on a storage medium. 
[0045] A decryption server of the downstream system
restores the encryption key specific to a digital data item
based both on the portion of the set of passkeys (or 
passkey information) delivered over the network, and on 
the rest of the set of passkeys (or passkey information)
delivered on the storage medium. The delivered digital
data is decrypted using the restored encryption key. A 
locally generated scramble key is used to scramble the 
decrypted content; and a descramble key is generated 
if the digital data is properly produced. The decrypted 
data of interest is decoded and scrambled using the lo- 
cally generated scramble key. The scrambled digital da- 
ta from the decryption server is descrambled by using 
the descramble key furnished by the decryption server; 
and the descrambled digital data is output in a prede- 
termined output format. In short, the decrypted digital 
data is scrambled before being output. 
[0046] The scramble and descramble keys generated 
by the decryption server may be the same for an entire 
batch of digital data or may be different for each digital 
data item. The latter arrangement is preferred as a more 
effective countermeasure against possible data misap- 
propriation. 

[0047] The output device to which the scrambled dig- 
ital data is supplied may be a display device (e.g., a 
monitor device, a TV set, a projector unit, a portable 
electronic apparatus), a printer, a speaker, a drive for 
recording data on a storage medium or the like. If the 
digital data is video data, it may be displayed on a dis- 
play screen or projected onto a projection screen. If the 
digital data is audio data, it may be reproduced through 
speakers. If the digital data is audio-video composite da- 
ta, it may be output in the two different formats (i.e., au- 
dio and video formats) simultaneously. 
[0048] In the arrangement of Fig. 4, the upstream system
includes a content server 11, a content coding unit
12, an encryption unit 13, an output server 14, a content
management server 15, a key generation unit 16, a
destination management server 17, a passkey generation
unit 18, and a write unit 19. The downstream system
includes a reception server 31, a read unit 32, a decryption
server 33, and an output device 34 (with a descramble
unit 34A). The decryption server 33 is further made
up of a decryption section 35 (including a decryption unit
35A, a key restoration unit 35B, a content decoding unit
35C and a scramble unit 35D), a scramble control unit
36, and an output log management unit 37.
[0049] The aforementioned components may be im- 
plemented in the form of dedicated hardware or soft- 
ware. 

[0050] In Fig. 4, thick lines denote transmission chan- 
nels of large capacities, and thin lines represent trans- 
mission channels of relatively smaller capacities. It 
should be noted that this configuration represents the 
current state of the art so that the envisaged transmis- 
sion capacities are relative in magnitude. At present, the 
passkey delivery routes indicated by thin line arrows 
may alternatively be arranged to have large transmis- 
sion capacities. 

[0051] The content server 11 is a device whose main 
function is to store digital data that has been delivered 
over transmission channels or conveyed on a storage 
medium (e.g., magnetic tape in Fig. 4). The storage
function is implemented by use of a mass storage device
incorporated in the content server 11. Preferably, this 
server has a computer-based structure. 
[0052] This content server is comprised of a processing
unit for executing control and arithmetic functions, a
storage device for storing data necessary for signal
processing, an input device through which data, programs
and commands are input from the outside, and
an output device for outputting the results of such
internal processing.

[0053] The content coding unit 12 subjects digital data 
to compression coding and other coding processes 
such as MPEG conversion, wavelet transformation and 
the like. Content coding unit 12 executes a plurality of 
coding processes that are typically used. Each digital
data item is therefore coded by multiple codes. Water- 
mark information preferably is embedded in the video 
and audio data transmitted from the content server 11 
to the content coding unit 12. The content coding unit 
may be implemented by dedicated hardware or by computer
software.

[0054] The encryption unit 13 receives, from the key 
generation unit 16, an encryption key specific to a content
item, and encrypts that content item using the encryption
key. The cryptosystem used here may be any
of those known to those of ordinary skill in the art. 
[0055] Illustratively, DES (Data Encryption Standard),
FEAL (Fast Data Encipherment Algorithm) and other
encryption processes are used. The encryption processes
are effected individually on operation data and on
content data. It may be noted that the encryption process
of content data is carried out illustratively with regard
to each data item coded by the content coding unit 12.
The encryption unit may be implemented either by
dedicated hardware or by software.

[0056] The output server 14 performs two major functions:
to store in a storage device the digital data that is
encrypted so that only those recipients at specific
destinations may view or record the content upon eventual
decryption, and to output the encrypted digital data over
the high-speed delivery network 3 according to a delivery
schedule. The output function is implemented by a
transmission device exhibiting a broadband transmission
facility and rate control.

[0057] At present, overnight storage data delivery is
envisaged for delivery of data over the high-speed delivery
network 3. In the future when higher transmission
rates are expected to be prevalent, streaming delivery 
or the like may also be provided. 

[0058] Where encrypted digital data is delivered on a
storage medium, the output function is implemented by 
a drive that stores digital data on a suitable storage me- 
dium. 

[0059] In communicating with the content server 11,
the content management server 15 registers newly
accepted content, searches for and retrieves desired
content, divides files, and performs other processes. The
content management server preferably is computer-based,
and manages the encryption keys that are generated
for each content item.

[0060] The key generation unit 16 generates an en- 
cryption key unique to each item of digital data to be 
delivered. The cryptosystem used to generate the encryption
keys may be any of those known to those of
ordinary skill in the art. That is, state-of-the-art encryp- 
tion techniques are adopted to make unauthorized de- 
cryption of data difficult to accomplish. 
[0061] Using a database, the destination management
server 17 manages destinations, delivery conditions
and other operational data for each digital data
item, as well as the encryption key information, generated
for each destination. The delivery conditions include
usable time periods, allowed output count (e.g.,
the number of times a content item may be recorded or
reproduced) and the like. The destination management
server preferably has a computer-based structure.
[0062] The destination management server 17 may
be installed in one of three locations: in the system
operated by the content distribution rights holder alone, in
the system of the electronic delivery business operator
alone, or in both systems. The option that is adopted
depends on which party delivers key information to each
destination. Of course, if a small number of business
operators have knowledge of the key information, data
security for the entire system is improved.
[0063] The destination management server 17 is
adapted to receive downstream system output log data
over an up link (usually the Internet, a telephone line or
like communication line). Using the output log, the
destination management server manages output histories
(dates and times of output, output counts, output periods,
and related information such as the presence
of trouble, the number of content-wise viewers and target
age groups, and the like) of the destinations (recipients).
Accordingly, the destination management server
17 has a database and an output history management
unit, neither shown.

[0064] The database and output history management
unit may alternatively be furnished apart from the des- 
tination management server. Output log data may be to- 
taled (or otherwise statistically processed) and analyzed 
either by the upstream system (which receives the output
log reports) or by the downstream system (before
the downstream system transmits the results of its 
processing to the upstream system). 
[0065] When the output log of the downstream system
is managed by the upstream system, the status of content
distribution may be readily monitored. This arrangement
also permits the acquisition of market developments
such as box-office results, current fads and
trends. Alternatively, log management may be assumed
by a content output research firm or by an operator other
than the digital data distribution rights holder or the
electronic delivery business operator.
[0066] Output log data may be supplied to and utilized by a
suitable electronic device in place of the distribution
management server 17. The output log need not include all
of the information mentioned above (dates and times of
output, etc.). One or a desired combination of output log
items may be reported instead. Also, output log data is
optional and, if preferred, need not be used.
[0067] The passkey generation unit 18 divides an encryption
key A, generated for each content item (e.g. for a movie, a
video program, audio or the like) by a division pattern
unique to each destination, thereby generating a set of
passkeys A1 and A2. For example, if there are 1,000
recipients at as many destinations, 1,000 sets of passkeys
A1 and A2 are generated. The passkeys thus generated are
sent to the destination management server 17 as well as to
an appropriate delivery processing unit. In this example,
the passkey generation unit supplies a portion of the set
of passkeys, namely the passkey A1, to a communication
unit, not shown, for delivery over a network, and supplies
the remaining passkeys, namely the passkey A2, to the write
unit 19 for delivery on a storage medium.

[0068] The write unit writes the reported passkey A2 
to a predetermined storage medium which may be a 
magnetically readable medium, an optically readable 
medium, a semiconductor memory or the like. Address 
information for delivery of the storage medium to the ap- 
propriate destination is supplied by the destination man- 
agement server 17. Similarly, network addresses are 
supplied for delivery of the passkey A1 to the proper 
destination. 

[0069] At the downstream system, the reception serv- 
er 31 implements the functions of receiving the encrypt- 
ed digital data which permits recipients only at specific 
destinations to view or record the content upon eventual 
decryption (i.e., encryption provides conditional access 
to the content); storing the delivered digital data in a 
storage device; and outputting the digital data to the de- 
cryption server 33 according to a predetermined repro- 
duction schedule. In addition, error correction of the re- 
ceived data also is performed. 

[0070] Where the digital data is delivered on a storage 
medium, the reception server includes a read unit for 
reading the delivered digital data from the storage me- 
dium. 

[0071] Read unit 32 in the downstream system func- 
tions to read the passkey A2 from the storage medium 
on which it is conveyed. Although not shown in Fig. 4, 
a communication unit is provided to receive the passkey 
A1 delivered over the wide area network. 
[0072] The decryption server 33 decrypts the encrypt- 
ed digital data, and decodes the decrypted but still cod- 
ed digital data. The decryption server also locally scram- 
bles the decoded data to prevent the restored original 
data from being output in an unprotected form. The de- 
cryption server may be implemented either by dedicated 
hardware or by software. To protect the digital data from 
misappropriation, the decryption server 33 is provided 
in a secure physical housing that may be opened, or
unlocked, only if authorized procedures are followed.
[0073] The decryption section 35, which includes decryption
unit 35A, key restoration unit 35B, content decoding unit
35C and scramble unit 35D, is provided with effective
countermeasures against misappropriation of data. This is
because important information, namely, the encryption key
information and the original digital data, flows between
the function blocks comprising the section. For that
reason, functional blocks of the decryption section are
formed as semiconductor integrated circuits or are
structured to have their functions disabled if the housing
of section 35 is forcibly opened.
[0074] The decryption unit 35A uses the encryption 
key furnished by the key restoration unit 35B to decrypt 
the digital data supplied from the reception server 31,
thereby providing conditional access to the digital data. 
The decryption unit may be implemented either by ded- 
icated hardware or by software. 
[0075] The key restoration unit 35B uses both the 
passkey A1 delivered over the network and the passkey 
A2 delivered on a storage medium to restore the encryp- 
tion key for decrypting the encrypted digital data. The 
restored encryption key is retained for a predetermined 
period of time as by being stored on a suitable storage 
medium such as a nonvolatile memory or hard disk. 
[0076] Before decrypting the digital data supplied 
from the reception server 31, the key restoration unit
35B reads operation data 8C attached to the digital data
(see Fig. 2) to determine if the reproduction conditions 
(usage conditions) set by the operation data are satis- 
fied at that time. If the reproduction conditions are sat- 
isfied, the key restoration unit sends a decryption enable 
signal to the decryption unit 35A and a scramble key 
generation signal or a scramble key output enable signal 
to the scramble control unit 36. If the reproduction con- 
ditions are not satisfied, the key restoration unit 35B 
feeds inhibit signals to the decryption unit and to the 
scramble control unit. 

[0077] The content decoding unit 35C is compatible 
with the codec processing used by the recipient at the 
particular destination. The content decoding unit may be 
implemented either by dedicated hardware or by soft- 
ware and is adapted to restore the original unencrypted 
digital data. 

[0078] The scramble unit 35D functions to scramble the
decrypted, decoded digital data to impart further
protection to the original data that will be output. The
scramble unit may be implemented either by dedicated
hardware or by software.

[0079] In the example illustrated in Fig. 4, the scramble
control unit 36 is shown outside the decryption section 35,
but it will be recognized that, if desired, the scramble
control unit may be incorporated in the decryption section.

[0080] When the scramble control unit 36 is enabled by the
key restoration unit, it generates a scramble key and a
descramble key paired therewith. The scramble key and
paired descramble key may always be the same set of keys
regardless of the delivered content (i.e., a fixed pair of
scramble and descramble keys may be output from storage).
Alternatively, a different set of scramble/descramble keys
may be generated for each content (i.e., a different pair
of scramble and descramble keys may be generated every time
a new content item is output, the set of
scramble/descramble keys being retained while predetermined
reproduction conditions are satisfied). As a further
alternative, a different set of scramble/descramble keys
may be generated upon each reproduction output (i.e., a
different pair of scramble and descramble keys is generated
every time a coded content is decoded).

[0081] If the scramble key information is arranged to be
changed periodically or irregularly while a single content
is being output, the scramble control unit 36 generates
scramble and descramble keys at suitable intervals while
the digital data is supplied to the output device 34.
[0082] If desired, scramble key generation status from the
scramble control unit 36 may be reported to the output log
management unit 37 to permit monitoring of whether the
scramble keys are generated (i.e. misappropriated) without
proper authorization.
[0083] The output log management unit 37 manages the output
log of the output device 34 in order to determine if there
is any unauthorized output from that device. The output log
management unit may be implemented either by dedicated
hardware or by software. Log data from the output log
management unit is supplied over communication lines to the
destination management server 17 of the upstream system.
This allows the upstream system separately to monitor the
reproduction output status of the recipient at any
particular location, and to check for any unauthorized
handling of data.
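One way an upstream system could check reported output log data against the delivery conditions, as an added example that is not part of the patent text. The record fields, event names, finding strings and the sample log are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

NO_CONDITION = "no delivery condition for this destination/content"
OUTSIDE_PERIOD = "output outside usable time period"
COUNT_EXCEEDED = "allowed output count exceeded"
KEY_WITHOUT_RIGHT = "scramble key generated while reproduction conditions not satisfied"
UNKNOWN_EVENT = "unknown event type in output log"


@dataclass(frozen=True)
class DeliveryCondition:          # assumed shape of the per-destination conditions
    destination: str
    content_id: str
    usable_from: datetime
    usable_until: datetime
    allowed_outputs: int


@dataclass(frozen=True)
class LogRecord:                  # assumed shape of one output log entry
    destination: str
    content_id: str
    when: datetime
    event: str                    # "output" or "scramble_key_generated"


def audit(conditions, log):
    """Return (destination, content_id, timestamp, reason) for each anomaly."""
    cond = {(c.destination, c.content_id): c for c in conditions}
    outputs_seen = {}
    findings = []
    for rec in sorted(log, key=lambda r: r.when):
        key = (rec.destination, rec.content_id)
        c = cond.get(key)
        reason = None
        if c is None:
            reason = NO_CONDITION
        else:
            in_period = c.usable_from <= rec.when <= c.usable_until
            used = outputs_seen.get(key, 0)
            if rec.event == "output":
                outputs_seen[key] = used + 1
                if not in_period:
                    reason = OUTSIDE_PERIOD
                elif used + 1 > c.allowed_outputs:
                    reason = COUNT_EXCEEDED
            elif rec.event == "scramble_key_generated":
                # A key should only be generated while another output is still permitted.
                if not in_period or used >= c.allowed_outputs:
                    reason = KEY_WITHOUT_RIGHT
            else:
                reason = UNKNOWN_EVENT
        if reason:
            findings.append((rec.destination, rec.content_id,
                             rec.when.isoformat(), reason))
    return findings


# Constructed sample data: one licensed destination, two permitted outputs.
SAMPLE_CONDITIONS = [
    DeliveryCondition("theater-001", "movie-42",
                      datetime(2024, 1, 1, 0, 0), datetime(2024, 1, 7, 23, 59), 2),
]
SAMPLE_LOG = [
    LogRecord("theater-001", "movie-42", datetime(2024, 1, 2, 19, 0), "scramble_key_generated"),
    LogRecord("theater-001", "movie-42", datetime(2024, 1, 2, 19, 1), "output"),
    LogRecord("theater-001", "movie-42", datetime(2024, 1, 3, 19, 0), "scramble_key_generated"),
    LogRecord("theater-001", "movie-42", datetime(2024, 1, 3, 19, 1), "output"),
    LogRecord("theater-001", "movie-42", datetime(2024, 1, 4, 19, 0), "scramble_key_generated"),
    LogRecord("theater-001", "movie-42", datetime(2024, 1, 4, 19, 1), "output"),
    LogRecord("theater-001", "movie-42", datetime(2024, 1, 9, 2, 0), "scramble_key_generated"),
    LogRecord("theater-999", "movie-42", datetime(2024, 1, 3, 20, 0), "output"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONDITIONS, SAMPLE_LOG):
        print(*finding, sep=" | ")
```
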

[0084] The output log data may be original or raw data, or
data that has been totaled (or otherwise statistically
processed) and analyzed by the output log management unit
or by other units. The output log data may contain
demographic information such as the number of content-wise
viewers, target age groups, and the like.
[0085] The output device 34 is compatible with the
recovered digital data. For example, if the digital data is
video data, the output device 34 may be a display unit or a
projection unit. If the digital data is audio data, the
output device may be a speaker. In any case, the output
device includes a descramble unit 34A and a signal
processing unit 34B that implements the basic function of
the device.

[0086] The descramble unit 34A descrambles the scrambled
digital data supplied by the decryption server 33. The
descramble unit may be implemented either by dedicated
hardware or by software. In practice, the descramble unit
may be constituted by a semiconductor integrated circuit or
a circuit board module.
[0087] The signal processing unit 34B outputs descrambled
digital data in a suitable output format. If the output
device 34 is a display unit or a printer, then images may
be output in a frame or field format. If the output device
is a speaker, the output from the descramble unit may be a
real time-based acoustic reproduction.
[0088] Since the signals output by the descramble unit 34A
are protected by static features such as electronic
watermarking, it is preferable to house the output
device 34 in a housing that can be opened only if au- 
thorized procedures are followed, and that disables the 
device if the housing is opened by force. 
[0089] When new digital data are supplied to the content
server 11, the content in question is encoded with a unique
encryption key under the control of content management
server 15. The encryption key is supplied to passkey
generation unit 18 which divides (or parses) the encryption
key by a division pattern unique to the destination in
question. The division pattern may be the same regardless
of the varying contents delivered, or may be different for
each content. In the example shown in Fig. 4, the set of
passkeys formed by passkey information A1 and A2 is
generated in a manner unique to each content for each
destination.
[0090] The generated passkeys A1 and A2 are deliv- 
ered to the desired destination prior to the transmission 
of digital data. For the system shown in Fig. 4, the pass- 
key A1 is delivered over the network and the passkey 
A2 is conveyed on the storage medium. Alternatively, 
the passkeys may be delivered after the delivery of dig- 
ital data. 

[0091] The downstream system reads the digital data
(i.e., the content) according to a predetermined sched- 
ule and decrypts the encrypted digital data using the re- 
stored encryption key. It is appreciated that the decrypt- 
ed digital data compatible with the codec used at the 
destination in question thus is selectively decoded. The 
decoded data is scrambled by the decryption server 33. 
[0092] The decryption server feeds the scrambled 
digital data to the output device 34 which descrambles 
the received data using the descramble key supplied by 
the scramble control unit 36. The descrambled content 
is output in a desired format. The status of the content 
output is reported as output log data from the output log 
management unit 37 to the upstream system. The output log
data may be reported when each content is output
(i.e., one log data report may be sent when a content
item is output), or may be reported following a number 
of content outputs (e.g., an output status list may be out- 
put at the end of the day). 

[0093] As described, there are a plurality of passkey 
delivery routes in the system of Fig. 4. In this arrange- 
ment, if the passkey (for example, passkey A1) deliv- 
ered over one of the routes is misappropriated, the en- 
cryption key nevertheless is protected unless and until 
the remaining passkey (passkey A2) is misappropriated 
as well. Where passkey information is conveyed over a 
route different from the digital data delivery route (this 
includes the use of the same transmission medium but 
for the delivery of content at a different time from the 
delivery of the passkeys), then even if a portion of the
passkey information and the encrypted digital data are
misappropriated, the original digital data will not be
recovered because the key information necessary for
restoring the encryption key is delivered separately from
the digital data.
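The division of key A into passkeys A1 and A2 and its restoration from both, as an added example that is not taken from the patent. The patent does not define the division pattern; this sketch assumes one flag per key byte and assumes the pattern is already provisioned at the destination. It also goes beyond the text by placing an XOR split next to it, because a positional division hands each route a readable part of key A while an XOR share alone reveals nothing about it.

```python
import secrets

_rng = secrets.SystemRandom()


def new_division_pattern(key_len, a1_len=None):
    """Assumed pattern format: one flag per key byte (True -> A1, False -> A2)."""
    a1_len = key_len // 2 if a1_len is None else a1_len
    if not 0 < a1_len < key_len:
        raise ValueError("both passkeys must receive at least one byte")
    to_a1 = set(_rng.sample(range(key_len), a1_len))
    return tuple(i in to_a1 for i in range(key_len))


def divide_key(key, pattern):
    """Passkey generation: route each key byte to A1 or A2 per the pattern."""
    if len(key) != len(pattern):
        raise ValueError("pattern length must equal key length")
    a1 = bytes(b for b, flag in zip(key, pattern) if flag)
    a2 = bytes(b for b, flag in zip(key, pattern) if not flag)
    return a1, a2


def restore_key(a1, a2, pattern):
    """Key restoration: interleave A1 and A2 back into key A."""
    n1 = sum(pattern)
    if len(a1) != n1 or len(a2) != len(pattern) - n1:
        raise ValueError("passkey length does not match the division pattern")
    it1, it2 = iter(a1), iter(a2)
    return bytes(next(it1) if flag else next(it2) for flag in pattern)


def issue_passkeys(key, destinations):
    """One division pattern and one (A1, A2) set per destination."""
    issued = {}
    for dest in destinations:
        pattern = new_division_pattern(len(key))
        a1, a2 = divide_key(key, pattern)
        issued[dest] = {"pattern": pattern, "A1": a1, "A2": a2}
    return issued


def xor_split(key):
    """Alternative not described in the patent: A1 is random, A2 = key XOR A1."""
    a1 = secrets.token_bytes(len(key))
    a2 = bytes(k ^ r for k, r in zip(key, a1))
    return a1, a2


def xor_restore(a1, a2):
    if len(a1) != len(a2):
        raise ValueError("XOR shares must have equal length")
    return bytes(x ^ y for x, y in zip(a1, a2))


def unknown_key_bits(key_len, leaked_len, scheme):
    """Bits of key A still unknown once one passkey of leaked_len bytes is taken.

    For "division" this is the worst case in which the pattern is known too.
    """
    if scheme == "division":
        return 8 * (key_len - leaked_len)
    if scheme == "xor":
        return 8 * key_len
    raise ValueError("scheme must be 'division' or 'xor'")


if __name__ == "__main__":
    key_a = secrets.token_bytes(32)   # constructed content key
    for dest, rec in issue_passkeys(key_a, ["dest-001", "dest-002"]).items():
        ok = restore_key(rec["A1"], rec["A2"], rec["pattern"]) == key_a
        print(dest, "restored:", ok)
    print("unknown bits after A1 leaks, division:",
          unknown_key_bits(32, 16, "division"))
    print("unknown bits after A1 leaks, xor:", unknown_key_bits(32, 16, "xor"))
```
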

[0094] Since the decrypted digital data is scrambled
before being sent to the output device, the output device 
may be separate and apart from the server that performs 
the decryption function while maintaining sufficient pro- 
tection against misappropriation of data. 

[0095] If a more secure cryptosystem subsequently becomes
available, or if it is preferred to adopt a different codec
technique, this can be attained simply by replacing the
decryption server 33. Regardless of the codec used at any
destination, all data sent from the decryption server to
the output device 34 are scrambled, so that the output
device may be used by different types of codecs.

[0096] These features are conducive to reducing the costs
in developing and manufacturing the output device 34.
Hence, the existing output device may be easily replaced by
another output device of higher performance, e.g., one with
higher playback resolution, which may become available
after system implementation.
[0097] Fig. 5 illustrates an example of a delivery system
in accordance with the present invention wherein the same
reference numerals are used to identify the same components
shown in Fig. 4. The downstream system shown in Fig. 5 is
identical to that shown in Fig. 4.
[0098] The delivery system shown in Fig. 5 differs from
that in Fig. 4 in that a partial key generation unit 20 is
provided for further dividing the passkey A1 generated by
the passkey generation unit 18 into partial keys A11 and
A12. In addition, a write unit 21 is used for writing
partial keys A12 to a storage medium and a read unit 38
reads the partial keys from the storage medium. The routing
of key information delivery is partially modified to allow
for the three sets of key information A11, A12 and A2 to be
conveyed.

[0099] Partial key generation unit 20 generates the set of
partial keys A11 and A12 by dividing a portion of the
passkeys (i.e. passkey A1) generated by the passkey
generation unit 18 by a predetermined division pattern
specific to each destination. Alternatively, the partial
keys A11 and A12 may be generated from passkey information,
which is information from which the passkeys may be
reconstructed, or reproduced. Illustratively, if there are
1,000 recipients at, for example, 1,000 destinations, 1,000
sets of partial keys A11 and A12 are generated. The
division pattern need not be unique to each destination;
rather, it may be common to all destinations or it may vary
depending on the geographical area or the group of
destinations being handled by the system.
[0100] The partial keys thus generated are sent from the
partial key generation unit 20 to the destination
management server 17 as well as to an appropriate delivery
processing unit. In the illustrated example, the partial
key generation unit supplies the partial key A11 to a
communication unit, not shown, for delivery over a network,
and supplies the remaining partial key A12 to the write
unit 21 for delivery on a storage medium. Write unit 21 may
be similar to aforedescribed write unit 19 of Fig. 4.
Alternatively, in place of partial key A11, and/or in place
of partial key A12, partial key information may be
delivered, from which the partial key A11 or A12 may be
reconstructed, or reproduced.

[0101] In the delivery system shown in Fig. 4, the passkey
A2 is conveyed to the downstream system by means of the
storage medium. By contrast, the delivery system shown in
Fig. 5 delivers the passkey A2 over the network. Operations
other than the delivery of key information are carried out
by the delivery system of Fig. 5 in the same manner as the
delivery system of Fig. 4. In Fig. 5, key information is
delivered over two transmission networks (either over two
different networks or over the same network but at
different times) and by means of a storage medium. Since
there are more key information delivery routes, it is more
difficult to misappropriate data over the delivery routes.
[0102] Fig. 6 illustrates another example of a delivery 
system in accordance with the present invention where- 
in the same reference numerals are used to identify the 
same components shown in Figs. 4 and 5. 
[0103] The delivery system shown in Fig. 6 differs from
that shown in Fig. 5 in that the passkey A2 is delivered
not over a network but by means of a storage medium as in
Fig. 4. Nevertheless, partial keys A11 and A12 are
delivered over different routes shown, for example, as the
network and a storage medium. Operations other than the
delivery of key information are carried out by the delivery
system of Fig. 6 in the same manner as the delivery system
shown in Figs. 4 and 5. In Fig. 6, key information is
delivered over one transmission network and by means of two
different storage media. Since more storage media are used
for key information delivery, it is easier to detect
misappropriation over the delivery routes, thus offering
higher degrees of data security.

[0104] Referring to Fig. 7, there is shown another example
of a delivery system wherein the same reference numerals
are used to identify the same components shown in Fig. 4.

[0105] The delivery system shown in Fig. 7 differs from the
aforedescribed examples in that the passkeys A1 and A2, or
passkey information from which the passkeys A1 and A2 may
be reconstructed, or reproduced, are both delivered over
the networks. Operations other than the delivery of key
information are carried out by the delivery system of
Fig. 7 in the same manner as the delivery system shown in,
for example, Fig. 4. Since key information is delivered
over two transmission networks in Fig. 7, the time interval
between the delivery of key information and the start of
digital data delivery may be significantly reduced,
compared with those arrangements where key information is
conveyed by means of storage media.

[0106] Another example of a delivery system is shown in
Fig. 8, wherein the same reference numerals are used to
identify the same components shown in Fig. 4.
[0107] The delivery system shown in Fig. 8 differs from
that shown in Fig. 4 in that the passkeys A1 and A2 are
both delivered by means of storage media. Alternatively,
passkey information from which the passkey A1 and/or the
passkey A2 may be reconstructed or reproduced, may be
delivered by the storage media. Accordingly, write unit 22
and read unit 39 are provided for writing the passkey A1
to, and reading it from, a storage medium. Operations other
than the delivery of key information are carried out by the
delivery system shown in Fig. 8 in the same manner as by
the delivery system shown, for example, in Fig. 4.

[0108] Because all of the key information is conveyed
on storage media, misappropriation thereof can be 
readily detected. Hence, this arrangement offers high 
degrees of data security compared with cases in which 
key information is delivered over a network. 
[0109] A further example of a delivery system in ac- 
cordance with the present invention is shown in Fig. 9, 
wherein the same reference numerals are used to iden- 
tify the same components shown in Fig. 5. 
[0110] The delivery system shown in Fig. 9 differs 
from that shown in Fig. 5 in that the partial key A12
generated by the partial key generation unit 20 is delivered
not by means of a storage medium (as in Fig. 5) but over 
a transmission network. Operations other than the de- 
livery of key information are carried out by the delivery 
system shown in Fig. 9 in the same manner as by the 
delivery system shown in Fig. 5. 
[0111] Hence, since all of the key information is con- 
veyed over networks having high speed transmission 
capabilities, the time interval between the delivery of key 
information and the start of digital data delivery may be 
substantially reduced as compared with those arrange- 
ments in which key information is conveyed by means 
of storage media. By delivering key information in the 
form of passkey A2 and partial keys A11 and A12, the 
delivery system ensures a higher degree of data security
because unauthorized decrypting and recovery of content
requires the misappropriation of all of the passkey and
partial key information.
[0112] Fig. 10 illustrates another example of a deliv- 
ery system in accordance with the present invention 
wherein like reference numerals identify like compo- 
nents shown in Figs. 6 and 8. 

[0113] The delivery system shown in Fig. 10 differs 
from the delivery system shown in Fig. 6 in that the partial
keys A11 and A12 generated by the partial key generation
unit 20 are both delivered by means of storage media.
Accordingly, write unit 22 and read unit 39 are provided
for writing the partial key A11 to and reading the
partial key from a storage medium.
[0114] Since all of the key information is conveyed on
storage media, misappropriation can be readily detect- 
ed, resulting in a system that offers a high degree of data 
security.
[0115] Referring to Fig. 11, there is shown a further
example of a delivery system in accordance with the present
invention. As before, the same components shown in Fig. 4
are illustrated here with the same reference numerals.
Here, the encryption key A used to encrypt the digital data
is not divided into passkeys. Rather, the encryption key A
itself is encrypted using multiple keys specific to
respective destinations.
[0116] In the example shown in Fig. 11, a first encryption
key A specific to each digital data item is used to encrypt
the digital data. A second encryption key specific to
respective destinations and to each digital data item is
generated and used to encrypt either the first encryption
key or key information from which the first encryption key
may be recovered. The encrypted first encryption key (or
key information) is delivered to each destination over a
transmission network, while the second encryption key (or
second key information from which the second encryption key
may be reproduced) is delivered by way of a storage medium.
[0117] At the downstream system, the first encryption key
specific to the corresponding digital data is restored by
using either the second encryption key or the second
encryption key information that has been delivered by means
of the storage medium to decrypt either the encrypted first
encryption key or the key information that was delivered
over the transmission network. The restored first
encryption key is used to decrypt the encrypted digital
data.

[0118] The example shown in Fig. 11 differs from those
examples described above in that this example has a
multiple key generation unit 23 that generates multiple
keys B specific to respective destinations. For instance,
key B1 may be specific to a first destination, key B2 may
be specific to a second destination, and so on. A key
encryption processing unit 24 encrypts the encryption key A
using the multiple keys B; and a write unit 25 writes the
multiple keys B to a storage medium for delivery. A read
unit 40, compatible with the write unit 25, reads the
multiple keys B from the storage medium.
[0119] The multiple key generation unit 23 generates
multiple keys B specific to each destination as well as to
the encryption key A that is generated for each content.
Illustratively, if there are 1,000 recipients at 1,000
destinations, 1,000 sets of multiple keys B will be
generated. The multiple keys B may or may not always be the
same for a given destination. That is, different keys B may
be generated depending on the content. Different keys B
also may be generated depending on the geographical area or
group of destinations being handled by the system.

[0120] The encryption key A that is encrypted by the 
multiple keys in key encryption processing unit 24 is de- 
livered to the downstream system over the network. 
[0121] In Fig. 4, the encryption key A specific to each
content is divided by passkey generation unit 18 to
generate sets of passkeys. In Fig. 11, the encryption key A
is itself encrypted using the multiple keys B generated for
each destination; and key A, thus encrypted, is delivered
to the downstream system over a network. The multiple keys
B are conveyed on a storage medium to the destination.

[0122] The example of Fig. 11 utilizes two kinds of 
keys: multiple keys B, and an encryption key A which is 
encrypted by the multiple keys B, delivered over multiple 
routes to the recipient at each destination. It is appreci- 
ated that even if one set of key information is misappro- 
priated in transit, the encryption key information remains 
protected unless and until the other set of key informa- 
tion is misappropriated as well. 

[0123] If the multiple keys B are found to be
misappropriated or diverted in transit, the delivery of the
encrypted encryption key A over the network is halted.
Other multiple keys B are then issued and conveyed on
another storage medium to the destination. This arrangement
ensures a high degree of security against data
misappropriation.

[0124] The example now described in conjunction with
Fig. 12 divides the second encryption key B specific to a
respective destination to generate a set of passkeys, each
set being specific to a respective destination. A portion
of the set of passkeys (or passkey information from which
the set of passkeys may be reproduced) is delivered to each
destination over a second transmission network, while the
remaining passkeys (or passkey information) are written to
a storage medium for delivery.
[0125] At the downstream system, the second en- 
cryption key is restored by using both the portion of the 
set of passkeys delivered over the second transmission 
network and the remaining passkeys delivered on the 
storage medium. Once restored, the second encryption 
key is used to restore the first encryption key specific to 
the corresponding digital data; whereupon the encrypt- 
ed digital data is decrypted by use of the restored first 
encryption key. 

[0126] The system shown in Fig. 12 differs from that 
of Fig. 11 in that a passkey generation unit 26 is provided
to generate a set of passkeys B1 and B2 by dividing the 
multiple keys B generated by the multiple key genera- 
tion unit 23; and a portion of these passkeys (e.g., pass- 
key B2) are written to a storage medium from which they 
subsequently are read (e.g., by a read unit 41). 
[0127] Multiple keys B are specific to respective des- 
tinations, and a division pattern unique to a particular 
destination is used to generate a set of passkeys. If de- 
sired, the division pattern used by passkey generation 
unit 26 may be common to all destinations or may be 
assigned uniquely to each destination. Additionally, the 
division pattern may vary depending on the content or 
may be changed periodically or irregularly during con- 
tent delivery. The division pattern may also vary depend- 
ing on the geographical area or the group of destinations 
being handled by the system. 

[0128] Because one passkey (e.g., B1) is delivered 
over a network and the other passkey (B2) is delivered 
on a storage medium, and because encryption key A
itself is encrypted and delivered over a separate route,
the system of Fig. 12 ensures a higher degree of security
against misappropriation of content data. 
[0129] A variation of the example described in Fig. 12 is
illustrated in Fig. 13, where like components are
identified by the same reference numerals.
[0130] In Fig. 13, the encrypted encryption key A generated
by key encryption processing unit 24 is delivered not over
a network but by means of a storage medium. Accordingly, a
write unit 28 writes the encrypted encryption key A onto
the storage medium from which it subsequently is read by
read unit 42.
[0131] Since the encrypted encryption key A is delivered on
a storage medium, misappropriation of key information may
be discerned sooner than in other arrangements in which the
key information is conveyed over a network.

[0132] A modification to the example shown in Fig. 11 is
depicted in Fig. 14, where like components are identified
by the same reference numerals.
[0133] Here, the multiple keys B are delivered not by means
of a storage medium (as in Fig. 11) but over transmission
networks. Upon delivery of the multiple keys B, however, it
is preferred to authenticate each destination by digital
certification or other known techniques, and to encrypt the
digital data by using a public key disclosed by the
certified destination.
[0134] By delivering the multiple keys B over the network,
the time period between key delivery and the start of
digital data delivery is substantially reduced.
[0135] Fig. 15 illustrates another modification to the 
delivery system shown in Fig. 11.
[0136] In Fig. 15 the encrypted encryption key A is de- 
livered not over a network (as in Fig. 11) but by means 
of a storage medium.
[0137] Since all key information (i.e., encrypted en- 
cryption key A and multiple keys B; or alternatively, en- 
cryption key information from which the respective keys 
may be reconstructed or reproduced) is conveyed on 
storage media, of which misappropriation can be readily
detected, the data delivery system offers a high degree 
of data security. 

[0138] Turning now to Fig. 16, there is illustrated a 
modification of the example shown in Fig. 12. 
[0139] In Fig. 16, the passkey B2 generated (e.g., divided)
from the multiple keys B is delivered not by means of a
storage medium but over a network. Hence, all three sets of
key information are delivered over networks. Accordingly,
the time period between key delivery and the start of
digital data delivery is significantly reduced.
Nevertheless, because three sets of key information (A, B1
and B2) are delivered, there is a higher degree of security
against misappropriation of content data than in other
delivery systems in which two sets of key information are
delivered over the network.
[0140] Referring to Fig. 17, there is illustrated a
modification to the example shown in Fig. 13.
[0141] In Fig. 17, the passkey B1 generated from the
multiple keys B (e.g., by a division pattern) is delivered
not over a network but by means of a storage medium. 
Hence, in this example, all three sets of key information 
are delivered by storage media. 
[0142] Because all key information is delivered by 
storage media, diversion or misappropriation of the keys 
can be readily detected. Accordingly, the illustrated sys- 
tem offers a high degree of security. 
[0143] The foregoing description of the various examples
of the inventive concept has not specified which of
the illustrated functional units are operated by the dis- 
tribution rights holder and which of these units are op- 
erated by the delivery business operator. Fig. 18 is a 
summary table of the degree of security that is expected 
when different parties carry out the function of content 
coding unit 12, the encryption unit 13 and the key gen- 
eration unit 16 (which includes the passkey generation 
unit, the partial key generation unit and the multiple key 
generation unit). The arrangements contemplated by 
Fig. 18 use two sets of key information. If three or more
sets of key information are used, the indication of "one
key" in Fig. 18 will be understood to mean "at least one
key." 

[0144] A first arrangement, referred to as an operation
platform, contemplates the assumption by the distribu- 
tion rights holder of three roles: generating an encryp- 
tion key A, coding the information content, and encrypt- 
ing the coded content (i.e., content coding unit 12, en- 
cryption unit 13, and key generation unit 16 are all as- 
sumed to be operated by the distribution rights holder). 
It also is assumed that the distribution rights holder de- 
livers the key information (see item 1 in Fig. 18). 
[0145] If the distribution rights holder also operates 
the passkey generation unit 18 (including the partial key
generation unit 20), the multiple key generation unit 23, 
and the key encryption processing unit 24 (including the 
passkey generation unit 26) and if the delivery business 
operator merely delivers encrypted digital data to spe- 
cific destinations, then only the distribution rights holder 
is in a position to know the encryption key (master key) 
used to encrypt digital data. Hence, the distribution 
rights holder need not worry about the possibility that 
the encryption key will be misappropriated by or through 
the electronic delivery business operator. This operation 
platform thus assures the distribution rights holder that
the content which he offers is secure. 
[0146] In another similar operation platform (item 2
in Fig. 18), the key information is delivered by both the
distribution rights holder and the electronic delivery 
business operator. If the delivery system shown in Fig. 
5 is adopted, the distribution rights holder generates and 
distributes the passkey A2 while the electronic delivery 
business operator generates and delivers the partial 
keys A11 and A12 divided from the passkey A1 and delivers
the partial keys thus generated. Likewise in the
examples of Figs. 6, 9 and 10, the passkey is generated
and distributed by the distribution rights holder; and the
partial keys are generated and delivered by the electronic
delivery business operator.
[0147] In another arrangement, the electronic delivery 
business operator may write the generated passkeys or 
partial keys to storage media and deliver the storage 
media to their destinations, as in the examples depicted
in Figs. 4-6, 8, 10-14, 15 and 17 wherein key information
is delivered on storage media. With this operation plat- 
form, the content distribution rights holder alone is in a 
position to know the encryption key (master key) used 
to encrypt the digital data.
[0148] As a variation of this operation platform, the 
distribution rights holder encrypts and delivers the en- 
cryption key A while the electronic delivery business op- 
erator generates and delivers the passkeys B1 and B2 
derived from multiple keys B. This variation, although
offering a high degree of security, nevertheless is somewhat
lower in confidence.

[0149] A further similar operation platform (item 3 in
Fig. 18) assumes that key information is delivered by
the electronic delivery business operator. When this operation
platform is used in the example of Fig. 4, the
distribution rights holder generates an encryption key 
while the electronic delivery business operator acquires 
that encryption key and produces the passkeys A1 and 
A2 therefrom.
[0150] In accordance with a different operation platform
(see items 4-6 in Fig. 18), it is assumed that the
electronic delivery business operator is responsible for 
encryption. In that case, the electronic delivery business 
operator acquires the encryption key from the distribution
rights holder and encrypts the content accordingly.
The coding process is assumed by the distribution rights 
holder. Accordingly, the distribution rights holder (which 
may be the content production firm) and the electronic 
delivery business operator both are in a position to know
the encryption key regardless of whether the distribution 
rights holder alone, or the electronic delivery business 
operator alone, or both, distribute the key information. 
Nevertheless, these operation platforms provide better 
system security than conventional delivery arrangements.

[0151] Further operation platforms are represented 
as items 7-9 in Fig. 18 in which the coding process is 
assumed by the electronic delivery business operator 
and the distribution rights holder only generates the encryption
key. The distribution rights holder and the electronic
delivery business operator both are in a position
to know the encryption key regardless of whether the 
distribution rights holder alone, the electronic delivery 
business operator alone, or both, distribute the key information.
Nevertheless, these operation platforms provide
better system security than conventional delivery
arrangements. 

[0152] Still further operation platforms are represented
as items 10-12 in Fig. 18 wherein the electronic delivery
business operator generates the encryption key
while the distribution rights holder receives the encryption
key from the electronic delivery business operator
to encrypt the digital data. Hence, the distribution rights
holder and the electronic delivery business operator 
both are in a position to know the encryption key regard- 
less of who delivers the key information. Nevertheless, 
these operation platforms provide better system securi- 
ty than conventional delivery arrangements. 
[0153] Yet other operation platforms are represented 
as items 13-15 in Fig. 18, wherein the electronic delivery
business operator generates the encryption key and en- 
crypts the content with that key while the distribution 
rights holder 1 carries out coding only. Still further oper- 
ation platforms are represented as items 16-18 in Fig. 
18, wherein the electronic delivery business operator 
generates the encryption key, codes the content and 
then encrypts the coded content. In these cases, the dis- 
tribution rights holder and the electronic delivery busi- 
ness operator both are in a position to know the encryp- 
tion key regardless of who delivers the key information. 
Nevertheless, these operation platforms provide better 
system security than conventional delivery arrange- 
ments. 

Further Discussion 

[0154] In one example of a data delivery system, digital
data, or content, is delivered from an upstream system
to a downstream system. The upstream system performs
multipoint delivery of encrypted digital data. Encryption
may be specific to each item of the digital data
to be delivered (i.e., each digital data item may be en- 
crypted by use of a unique encryption key); however, 
this is not intended to limit the present invention solely 
thereto. Of course, if each digital data item to be deliv- 
ered is encrypted uniquely, any economic injury or dam- 
age resulting from unauthorized decryption would be 
minimized because the corresponding data item alone 
is affected. But, if the delivery system is deemed highly 
secure or if a simplified delivery system is desired, a plu- 
rality of digital data items may be encrypted by a com- 
mon encryption process. The particular encryption 
scheme that is adopted depends upon the requirements 
of the business in question (e.g. movies may adopt one 
encryption technique, whereas the delivery of software 
programs may adopt another). Multipoint data delivery 
may be carried out not only via transmission media such 
as broadcasting or communication networks but also 
through physical storage media. 
[0155] To permit an authorized user to decrypt the delivered
digital data, an encryption key used to encrypt
the digital data also is delivered. The upstream system 
generates a plurality of pieces of key information spe- 
cific to destinations and/or to the digital data to be de- 
livered. These pieces of key information are delivered 
to the corresponding destinations (i.e., to the down- 
stream system) over delivery routes different from those 
that carry the encrypted digital data, or content. All de- 
livery routes are made different or separate from one 
another either physically or temporally, i.e., by staggering
the times for delivery. Where the key information is
delivered in multiple pieces over a plurality of routes, the 
unauthorized appropriation of one piece of key informa- 
tion will not compromise the corresponding content data 
unless and until all other pieces of key information are
also appropriated. The key information to be delivered 
is not limited to encryption keys alone; it may also be
information from which such encryption keys may be re- 
constructed or reproduced (e.g., random numbers). The 
key information may be made up of a set of passkeys
or partial keys, i.e., keys furnished by splitting up a 
whole encryption key. The encryption scheme may be 
a common key cryptosystem, a public key cryptosys- 
tem, or a combination of the two systems. 
[0156] Examples of how the keys may be generated
include: 

Example I: dividing the encryption key by a division 
pattern specific to each delivery destination into a 
set of partial keys (at least two keys) for the destination
of interest.

Example II: generating another encryption key (a 
second encryption key) specific to each different 
destination, and using that other encryption key in 
question (i.e. the second encryption key) to encrypt
the first encryption key that is used to encrypt digital 
data. 

Example III: generating an additional encryption 
key (the second encryption key) specific to each different
digital data item, and using the additional encryption
key in question (i.e. the second encryption
key) to encrypt the first encryption key that is used 
to encrypt the digital data. 
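
Example I's destination-specific division and its restoration, as an added example that is not code from the patent: `pattern_secret`, the destination names and the HMAC-derived pattern are assumptions made for illustration. It also includes XOR splitting, a technique the text does not describe, to show the difference in what a partial theft reveals: with plain division each stolen passkey exposes its own bytes of the key, while an XOR share alone exposes nothing.

```python
import hashlib
import hmac
import secrets
from typing import List, Set


def division_pattern(pattern_secret: bytes, dest_id: str, key_len: int, parts: int) -> List[int]:
    """For each key byte position, return the index of the passkey that carries it.

    Assumption: the pattern is derived from a secret provisioned to the destination
    in advance, so both sides can recompute it without sending it with the keys.
    """
    pattern = [i % parts for i in range(key_len)]   # balanced: every passkey gets bytes
    for i in range(key_len - 1, 0, -1):             # deterministic Fisher-Yates shuffle
        mac = hmac.new(pattern_secret, f"{dest_id}|{i}".encode(), hashlib.sha256).digest()
        j = int.from_bytes(mac, "big") % (i + 1)
        pattern[i], pattern[j] = pattern[j], pattern[i]
    return pattern


def split_by_pattern(key: bytes, pattern: List[int], parts: int) -> List[bytes]:
    """Divide the key into passkeys according to the division pattern."""
    passkeys = [bytearray() for _ in range(parts)]
    for byte, part in zip(key, pattern):
        passkeys[part].append(byte)
    return [bytes(p) for p in passkeys]


def restore_by_pattern(passkeys: List[bytes], pattern: List[int]) -> bytes:
    """Downstream side: interleave the passkeys back into the original key."""
    cursors = [0] * len(passkeys)
    out = bytearray()
    for part in pattern:
        out.append(passkeys[part][cursors[part]])
        cursors[part] += 1
    return bytes(out)


def unknown_bits_after_theft(pattern: List[int], stolen_parts: Set[int]) -> int:
    """Key bits still unknown to someone who holds the given passkeys AND the pattern."""
    return 8 * sum(1 for part in pattern if part not in stolen_parts)


def xor_split(key: bytes, parts: int) -> List[bytes]:
    """Alternative (not in the text): n-of-n XOR shares, each as long as the key."""
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = bytearray(key)
    for share in shares:
        for i, b in enumerate(share):
            last[i] ^= b
    return shares + [bytes(last)]


def xor_restore(shares: List[bytes]) -> bytes:
    """XOR all shares together; any missing share leaves uniformly random output."""
    out = bytearray(len(shares[0]))
    for share in shares:
        for i, b in enumerate(share):
            out[i] ^= b
    return bytes(out)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                   # 256-bit content key
    secret = b"constructed-pattern-secret"          # constructed sample value
    for dest in ("destination-A", "destination-B"): # constructed destination names
        pattern = division_pattern(secret, dest, len(key), 3)
        passkeys = split_by_pattern(key, pattern, 3)
        assert restore_by_pattern(passkeys, pattern) == key
        print(dest, "passkey sizes:", [len(p) for p in passkeys],
              "| bits left after 2 of 3 stolen:", unknown_bits_after_theft(pattern, {0, 1}))
    shares = xor_split(key, 3)
    print("xor shares restore:", xor_restore(shares) == key)
```

With a 32-byte key divided three ways, two stolen passkeys plus the pattern leave only 80 unknown bits; two of three XOR shares leave all 256.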

[0157] Not only one but also two or more of these second
encryption keys may be used in a manner specific
to each different destination. In that case, the multiple 
second encryption keys may be used to encrypt the first 
encryption key a number of times. In any event, the first 
encryption key is encrypted at least once by the second
encryption key or keys. Other encryption schemes may 
also be envisaged, with the second encryption key com- 
bined with other encryption keys (such as an encryption 
key common to destinations, an encryption key specific 
to each digital data item, an encryption key common to
multiple digital data items, etc.) to implement multiple 
encryption processes. 

[0158] A key division pattern and/or an encryption key
specific to each destination may be provided either in a 
generalized manner (i.e., the same encryption key is
used for a relatively long period of time, regardless of 
digital data, before it is changed over) or in a manner 
varying with each batch of digital data to be delivered. 
Obviously the latter scheme is preferred for protection 
against unauthorized use or appropriation of encrypted
content. 

[0159] Multipoint delivery may be implemented either
electronically over networks, such as the internet or
broadcasting or communication channels, or physically
through the use of storage media. 
[0160] The downstream system restores the original 
encryption key from the plurality of pieces of key infor- 
mation delivered over a plurality of different delivery 
routes, and uses the restored encryption key to decrypt 
the delivered digital data and thereby output the original 
data, or content, in a suitable format. Obviously the 
downstream system also needs to be structured so as 
to ensure protection against unauthorized use or appropriation.
Illustratively, as described above, there
may be provided a downstream system having a
decryption server and an output device connected in a 
way to assure the secrecy of communication. The output 
device may incorporate in the same physical housing 
not only a decrypter and a content decoder but also a
secrecy-assuring output unit such as a descrambler. 
[0161] In order to prevent unauthorized use or misap- 
propriation, the downstream system may be composed 
of housings that can be unsealed (or opened) only by 
following an authorized procedure; the system will be 
disabled if unsealed otherwise. The authorized proce- 
dure to unseal the housing(s) may involve authorized 
personnel using proprietary electronic or physical keys 
to open the housing. An example of unauthorized un- 
sealing of the system is the destruction or forced open- 
ing of the housing. 

[0162] It is expected, but not required, that the up- 
stream and downstream systems will be set up and run 
by different organizations, or companies. It also is con- 
templated that the company running the upstream sys- 
tem may take over various processes ranging from en- 
cryption to decryption of the digital data that is delivered. 
The upstream system may be operated in various ways. 
Illustratively, a single company may operate the system, 
or a plurality of companies may jointly operate the up- 
stream system. Each of the processes carried out in ac- 
cordance with the present invention may be implement- 
ed by a single company or by multiple enterprises. For 
example, a single company may have the right to dis- 
tribute content and may deliver the content as well. The 
single company may be an entity that is recognized as 
a substantially unified whole in corporate terms. In this 
connection, the business of the company may be divid- 
ed into operational units that are implemented by affili- 
ated companies or like entities which may not be legal 
subsidiaries of a single corporation but nevertheless 
may be associated with a single holding company. 
[0163] If the upstream system is operated by multiple
companies, the particular processing function that is as- 
signed to an individual company is determined by the 
requirements of the enterprise. It will be appreciated that 
a large number of combinations of particular hardware 
and software components may be employed by the dif- 
ferent companies involved. 

[0164] As an example, a company having the right to
distribute content may also encrypt the data and gener- 
ate multiple pieces of key information with regard to 
each destination, and another company may deliver the
encrypted data to those destinations. In this example,
only the company having the distribution rights knows 
the encryption keys (master keys). Consequently, it is 
relatively easy for the distribution rights holder to maintain
data security. The distribution rights holder may be
an entrepreneur who has obtained those rights from the 
content producer (that is, the entrepreneur may or may
not be the same as the content producer). 
[0165] Although the foregoing description of the
present invention does not refer specifically to digital
watermarking, it is preferred to include such watermarking
before the digital data is encrypted in order to discourage
unauthorized duplication and to identify unlawfully
diverted digital products.
[0166] A data delivery company or a network admin- 
istrator may add encryption processing to those delivery 
channels over which encrypted digital data is delivered. 
In fact, where key information is distributed, it is preferred
that each destination be authenticated by a digital
certificate (i.e., certified with a digital signature by an au- 
thentication organization) before the key information is 
encrypted by a public key (such as a public key furnished
by each destination). This practice will further ensure
data security.
[0167] Where key information is delivered over a net- 
work, that network can be physically the same as that 
for content transmission. In that case, however, content 
and key information are not delivered simultaneously; 
preferably they are transmitted at different times, for example,
hours or days apart. This is equivalent to delivering
content and key information over different routes.
If the content (or digital data) and key information were 
sent over the same delivery route, a single unauthorized 
act of misappropriation could divert part of the digital data
and key information at the same time, thereby increasing
the possibility of fraudulent decryption of the
encrypted digital data. 

[0168] In the present technique, it is assumed that the 
downstream system either has advance knowledge of
the information needed to restore the initial encryption 
key from the delivered key information, or is provided 
with this information from the upstream system. The in- 
formation may be sent from the upstream system to the 
downstream system either simultaneously during key
information delivery or at a different time. 
[0169] One example of a data delivery system com- 
prises an upstream system and a downstream system, 
with the upstream system being operated by a company 
having the distribution rights to the digital data, or being
operated jointly by the distribution rights company and 
a company that delivers the digital data. The digital data 
is encrypted by the upstream system using an encryp- 
tion key. A set of passkeys (two or more keys making 
up one set) unique to each of specific destinations is
generated, based on the encryption key. Either the set 
of passkeys or passkey information from which these 
passkeys may be reproduced is delivered to each destination
over a plurality of delivery routes which differ
from the routes used to deliver the digital data and which
are further different from each other. The encrypted dig- 
ital data also is delivered to the destinations. 
[0170] The encryption key is restored by the down- 
stream system (set up at each destination) using either 
the delivered set of passkeys or the passkey informa- 
tion; and the encrypted digital data is decrypted by using 
the restored encryption key. 

[0171] The encryption key used to encrypt digital data 
is divided, or parsed, by a protocol (i.e. a division rule) 
specific to each destination (i.e., downstream system) 
into a set of passkeys (e.g., three passkeys). These 
passkeys are delivered to the destination in question 
over routes which differ from the content delivery routes 
and which are further different from each other. 
[0172] The signal processing of the data delivery system
may be implemented either by hardware or by software.

[0173] The data delivery system delivers a plurality of 
pieces of key information over multiple delivery routes 
so that any one piece of key information that might be 
misappropriated will not lead to unauthorized tapping of 
the encryption key unless and until all other key infor- 
mation is misappropriated. In particular, where key in- 
formation is delivered over routes different from those 
which carry digital data (including use of the same me- 
dium at different times), then even if one who misappro- 
priates part of the key information happens to acquire 
encrypted digital data as well, the fact that the key infor- 
mation needed to restore the initial encryption key is de- 
livered separately from the digital data makes it more 
difficult to recover that initial encryption key and decrypt 
the digital data. 

[0174] Although the data delivery system thus far described
presupposes the prior existence of an encryption
key for encrypting digital data, this is not intended
to limit the present invention. The encryption key may 
be either generated within the upstream system or sup- 
plied from outside the upstream system. The encryption 
key may be either specific to each digital data item (i.e.
to each content) or common to a plurality of digital data 
items. If data item-specific encryption keys are used, un- 
authorized decryption of any one key limits the damage 
to the corresponding data item alone. The use of com- 
mon keys, however, is not too vulnerable to the damage 
caused by misappropriation as long as the keys are 
changed fairly frequently. 

[0175] The data delivery system may deliver key in- 
formation in diverse ways. Illustratively, a portion of a 
set of passkeys may be transmitted over a network and 
the remaining passkeys may be delivered by use of a 
storage medium (e.g. by mailing a CD-ROM or a floppy 
disc or a solid state memory). If a portion of the key in- 
formation is delivered using a tangible storage medium, 
it is easier both to discover misappropriation of the key 
information and to take countermeasures promptly. 
[0176] As another alternative, a portion of a set of 
passkeys may be transmitted over a first network and
the remaining passkeys may be delivered over a second 
network. One advantage of delivering all key information 
over networks is that any time constraints on delivery 
are minimized. Another advantage is the reduced cost
of key information delivery. In implementing the delivery 
of key information over networks, it is preferred illustra- 
tively to authenticate each destination using a digital 
certificate encrypted by a public key furnished by the 
destination in question, prior to delivery of the key information.

[0177] As a further alternative, a portion of a set of 
passkeys may be delivered on a first storage medium 
and the remaining passkeys may be delivered on a second
storage medium. When all key information is delivered
by use of tangible storage media, it becomes much
easier to discover misappropriation of the key informa- 
tion and to take countermeasures promptly. The two 
storage media preferably are physically different. Obviously
the type of medium and the manner in which information
is read therefrom may or may not be the same
for the two storage media employed. 
[0178] The storage media used to carry passkeys 
may include magnetically readable media such as magnetic
tapes, floppy disks and magnetic cards; optically
readable media such as CD-ROMs, MOs, CD-Rs and
DVDs; semiconductor memories such as memory cards
(rectangular type, square type, etc.) and IC cards; and
others. The storage media with key information recorded
thereon may be delivered by postal service or by a
commercial delivery service. At present, the storage 
media are sent most often by registered mail in order to 
ensure their security. 

[0179] As a feature of at least preferred embodiments
of this invention, a plurality of partial keys is generated
based on a portion of either the set of passkeys or the 
passkey information. Either the plurality of partial keys 
or partial key information (from which these partial keys 
may be reproduced), as well as either the remaining 
passkeys not used to generate the partial keys or the
remaining passkey information, is delivered to each 
destination over a plurality of delivery routes which differ 
from the routes used for delivering content (e.g. the dig- 
ital data) and which are further different from each other. 
[0180] The downstream system restores the encryption
key of the delivered digital data using either the plurality
of partial keys or the partial key information, as well
as the remaining passkeys or the remaining passkey in- 
formation delivered over the plurality of delivery routes. 
[0181] Using the example described above wherein
the encryption key is divided into a set of passkeys (e.g.,
three passkeys), a portion of the passkeys (e.g., two
passkeys) is delivered directly to each destination, with 
the remaining passkey (e.g., one passkey) being further 
divided into a plurality of partial keys for delivery. All of
the key information is delivered to each destination over 
routes which differ from routes used to deliver the digital 
data and which are further different from each other. 



[0182] Here, a plurality of pieces of key information 
are delivered over multiple delivery routes so that any 
one piece of key information that might be misappropri- 
ated will not lead to unauthorized tapping of the encryp- 
tion key unless and until all of the other key information 
is misappropriated. Because this data delivery system 
offers more delivery routes for key information than de- 
scribed above, there is higher security against misap- 
propriation or fraud. 

[0183] The division rule or protocol used to generate 
a set of partial keys based on the passkeys may be com- 
mon to all destinations, unique to each destination, or 
specific to a group of destinations classified by geo- 
graphical or other conditions. Instead of having a portion 
of the passkeys divided into partial keys, that portion 
may be encrypted by multiple keys. In this case, both 
the encrypted passkeys and the encryption keys used 
to encrypt the passkeys are delivered to each destina- 
tion. For delivery, a portion of the passkeys is transmit- 
ted over a network, a portion of the partial keys that are 
generated from the remaining passkeys also is sent 
over the network, and the remaining partial keys, or par- 
tial key information, are delivered on a storage medium. 
The storage medium may carry any part of the key in- 
formation involved, and any two different types of key 
information may be delivered on two different storage 
media. 

[0184] For example, a portion of a set of passkeys and
all the partial keys generated from the remaining pass- 
keys may be transmitted over the network. If all key in- 
formation is delivered over the network, any time con- 
straints on delivery are minimized and the cost of key 
information delivery is reduced. In delivering key infor- 
mation over the network, it is preferred to authenticate 
each destination using a digital certificate encrypted by 
a public key furnished by the destination in question pri- 
or to delivery of the key information. 
[0185] As another example, a portion of a set of passkeys
and all partial keys generated from the remaining
passkeys may be delivered on storage media. When all 
key information is delivered by use of tangible storage 
media, it is easier to discover misappropriation of the 
information and to take countermeasures promptly. 
[0186] A second encryption key specific to each of 
specific destinations and/or to digital data may be used 
to encrypt either the first encryption key or the key infor- 
mation (from which the first encryption key may be re- 
produced). Both the encrypted first encryption key (or 
key information) and the second encryption key (or key 
information from which the second encryption key may 
be reproduced), are delivered to each destination over 
a plurality of delivery routes which differ from the routes 
used to deliver the content and which are further differ- 
ent from each other. 

[0187] The downstream system restores the first en- 
cryption key by decrypting either the encrypted first en- 
cryption key or the encrypted key information delivered 
thereto, on the basis of either the delivered second encryption
key or the delivered second encryption key information.
The restored first encryption key is used to
decrypt the encrypted content. 
[0188] Where the second encryption key is unique to 
each destination, the encrypted digital data cannot be
decrypted without authorization unless and until all key 
information (i.e., the second encryption key and the en- 
crypted first encryption key) is misappropriated from the 
destination in question. That is, even if the second encryption
key unique to a given destination and the encrypted
first encryption key specific to another destination
are misappropriated, the first encryption key cannot
be restored. It is quite difficult, if not practically impossi- 
ble, for all data to be misappropriated before the theft is 
discovered. This provides a system highly resistant to
attempts at unauthorized use or even theft of data. If the 
second encryption key is unique to each digital data 
item, then even if the second encryption key and the un- 
encrypted first encryption key are misappropriated, any 
injury will be limited only to the digital data item in question
(assuming of course that the encrypted digital data
item also is misappropriated). Needless to say, if the 
second encryption key is specific both to a particular 
destination and to a particular digital data item, the system
would be further resistant to unauthorized tapping
of data. 
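
Example II and the property stated in [0188], as an added example that is not code from the patent: a second key unique to each destination wraps the first (content) key, the two travel by different routes, and a second key taken from one destination cannot unwrap the blob addressed to another. The HMAC-SHA-256 encrypt-then-MAC construction is a standard-library stand-in chosen here for a vetted key-wrap such as AES Key Wrap (RFC 3394); the function names, route labels and identifiers are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

NONCE_LEN = 16
TAG_LEN = 32


class UnwrapError(Exception):
    """Raised when a wrapped key fails its integrity check."""


def _subkeys(second_key: bytes, context: bytes):
    # Separate encryption and MAC keys, both bound to destination and data item.
    enc = hmac.new(second_key, b"enc|" + context, hashlib.sha256).digest()
    mac = hmac.new(second_key, b"mac|" + context, hashlib.sha256).digest()
    return enc, mac


def wrap_key(second_key: bytes, first_key: bytes, dest_id: str, item_id: str) -> bytes:
    """Encrypt the first (content) key under a destination-specific second key."""
    if len(first_key) > 32:
        raise ValueError("this stand-in wraps keys of at most 32 bytes")
    enc_key, mac_key = _subkeys(second_key, f"{dest_id}|{item_id}".encode())
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(first_key, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_key(second_key: bytes, blob: bytes, dest_id: str, item_id: str) -> bytes:
    """Downstream side: verify the tag first, then recover the first key."""
    if len(blob) <= NONCE_LEN + TAG_LEN:
        raise UnwrapError("wrapped key is too short")
    enc_key, mac_key = _subkeys(second_key, f"{dest_id}|{item_id}".encode())
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # A mismatched second key is detected instead of yielding a wrong key.
        raise UnwrapError("second key, destination or item does not match")
    stream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def provision(destinations: List[str], item_id: str, first_key: bytes) -> Dict[str, Dict[str, bytes]]:
    """Upstream side: one fresh second key per destination, split across two routes."""
    bundles = {}
    for dest in destinations:
        second_key = secrets.token_bytes(32)
        bundles[dest] = {
            "network": wrap_key(second_key, first_key, dest, item_id),  # route 1
            "media": second_key,                                        # route 2
        }
    return bundles


if __name__ == "__main__":
    content_key = secrets.token_bytes(32)
    out = provision(["destination-A", "destination-B"], "item-001", content_key)  # constructed names
    a, b = out["destination-A"], out["destination-B"]
    print("A restores key:",
          unwrap_key(a["media"], a["network"], "destination-A", "item-001") == content_key)
    try:
        unwrap_key(a["media"], b["network"], "destination-B", "item-001")
    except UnwrapError as exc:
        print("A's second key on B's wrapped key:", exc)
```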

[0189] The first encryption key need only be encrypted
once by the second encryption key, although multiple
encryptions may be used. For example, the first encryption
key may be encrypted before it is further encrypted
by the second encryption key. 

[0190] As one example of the delivery technique, the 
encrypted first encryption key is transmitted over a net- 
work, and the second encryption key is delivered on a 
storage medium. Alternatively, the first encryption key
may be carried on the storage medium and the second 
encryption key transmitted over the network. 
[0191] As another example, the encrypted first en- 
cryption key may be transmitted over a first network and 
the second encryption key over a second network. Alternatively,
the encrypted first encryption key may be delivered
on a first storage medium and the second encryption
key on a second storage medium.
[0192] In an example of a data delivery system, when
a second encryption key specific to a specific destina- 
tion and/or to particular content is used to encrypt the 
first encryption key, a set of passkeys (e.g. three pass- 
keys) based on the second encryption key is generated; 
and the encrypted first encryption key (or first encryption
key information), as well as the set of passkeys (or passkey
information from which the set of passkeys may be
reproduced) are delivered to each destination over a 
plurality of delivery routes which differ from the content 
delivery routes and from each other. 
[0193] The downstream system uses the set of passkeys
(or passkey information) to restore the second encryption
key; and the restored second encryption key is
used to decrypt the first encryption key (or the first encryption
key information). As a result, the first encryption
key is restored and used to decrypt the encrypted con- 
tent. Preferably, the set of passkeys, rather than the sec- 
ond encryption key itself, is delivered together with the 
encrypted first encryption key to each destination over 
a plurality of different delivery routes. Consequently, 
even if one piece of key information is misappropriated, 
this will not lead to unauthorized tapping of the encryp- 
tion key unless and until all other key information is mis- 
appropriated. 

[0194] To generate a set of passkeys based on the second encryption key, the second encryption key may be divided into passkeys in accordance with a suitable division rule, or protocol, as mentioned earlier. Alternatively, another encryption key may be used to further encrypt the second encryption key to generate the passkeys.

[0195] If the second encryption key is unique to a particular destination, unless all key information is misappropriated from that specific destination (i.e., the set of passkeys and the encrypted first encryption key), the encrypted digital data cannot be decrypted. This provides a more effective data delivery system.

[0196] As one example of this feature, the encrypted first encryption key is delivered on a storage medium, a portion of the (or, alternatively, the entire) set of passkeys is transmitted over a network, and the remaining passkeys are delivered on another storage medium. When part of the key information is delivered on tangible storage media, it is easier to discover misappropriation of the information and to take countermeasures immediately.

[0197] As another example, the encrypted first encryption key and the set of passkeys generated from the second encryption key all may be transmitted over the network. When all key information is delivered over the network, any time constraints on key delivery are minimised, thereby reducing the cost of key information delivery. Preferably, a digital certificate encrypted by a public key is furnished by the destination in question prior to delivery of key information to authenticate that destination.
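The passkey delivery of paragraphs [0192] to [0196], worked through as an added Python example that is not part of the patent. The HMAC-based stand-in cipher, the division pattern `(5, 17, 10)`, the route names and all function names are assumptions made for illustration; `unknown_bits` reports how much of the second key is still unknown to someone holding only some of the passkeys.

```python
"""Added illustration of the passkey delivery in [0192] to [0196].
Not code from the patent: the stand-in cipher, the division pattern and
the route names are assumptions made for this example."""
import hashlib
import hmac
import secrets

KEY_LEN = 32


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC so that a wrong key is detected on unseal."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _stream(enc_key, nonce, len(data))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError for a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(body, _stream(enc_key, nonce, len(body))))


def divide(key: bytes, pattern: tuple) -> list:
    """Division rule: cut the key into consecutive pieces of the given lengths."""
    if sum(pattern) != len(key) or min(pattern) < 1:
        raise ValueError("pattern must cover the key exactly")
    pieces, pos = [], 0
    for length in pattern:
        pieces.append(key[pos:pos + length])
        pos += length
    return pieces


def unknown_bits(pattern: tuple, captured: set) -> int:
    """Key bits still unknown to someone holding the captured passkeys."""
    return 8 * sum(n for i, n in enumerate(pattern) if i not in captured)


def upstream(content: bytes, pattern: tuple) -> dict:
    """Encrypt content, wrap the first key, assign pieces to routes as in [0196]."""
    first_key = secrets.token_bytes(KEY_LEN)    # encrypts the content
    second_key = secrets.token_bytes(KEY_LEN)   # specific to one destination
    passkeys = divide(second_key, pattern)
    return {
        "content_route": seal(first_key, content),
        "storage_medium_1": seal(second_key, first_key),  # encrypted first key
        "network": passkeys[:2],                          # part of the passkey set
        "storage_medium_2": passkeys[2:],                 # remaining passkeys
    }


def downstream(routes: dict) -> bytes:
    """Restore the second key, unwrap the first key, decrypt the content."""
    second_key = b"".join(routes["network"] + routes["storage_medium_2"])
    first_key = unseal(second_key, routes["storage_medium_1"])
    return unseal(first_key, routes["content_route"])


def demo() -> dict:
    pattern = (5, 17, 10)                       # constructed division pattern
    content = b"constructed sample content"
    routes = upstream(content, pattern)
    recovered = downstream(routes)
    # A party holding every route except storage_medium_2 lacks the last passkey.
    partial = dict(routes, storage_medium_2=[bytes(10)])
    try:
        downstream(partial)
        blocked = False
    except ValueError:
        blocked = True
    return {"recovered": recovered == content, "blocked": blocked,
            "bits_left": unknown_bits(pattern, {0, 1})}


if __name__ == "__main__":
    print(demo())
```

Because plain division hands over key bytes verbatim, each captured passkey shrinks the remaining search space; with this pattern, losing the network route leaves 80 of 256 bits unknown.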

[0198] While the present invention has been particularly shown and described with reference to certain preferred embodiments, it will be understood that various changes and modifications may be made without departing from the scope of this invention.



Claims 

1. A digital data delivery method for use in delivering digital data from an upstream system to a downstream system, said upstream system providing multipoint delivery of encrypted digital data to specific destinations, and said downstream system decrypting the delivered digital data, said method comprising the steps of:
encrypting (13) digital data at said upstream system using an encryption key;
generating (18) on the basis of said encryption key, a set of passkeys specific to each of said specific destinations;
generating (20) a plurality of partial keys based on a portion of the passkeys in said set or a portion of passkey information from which said passkeys may be reproduced;
delivering either said plurality of partial keys or partial key information, from which said partial keys may be reproduced, and delivering the remaining passkeys not used to generate said partial keys or the remaining passkey information, to each of said specific destinations over a plurality of delivery routes which differ from routes for delivering said digital data and which are further different from each other;
delivering the encrypted digital data;
restoring (35B) said encryption key at said downstream system using either said plurality of partial keys or said partial key information and using either said remaining passkeys or said remaining passkey information delivered over said plurality of delivery routes; and
using (35A) the restored encryption key to decrypt the encrypted digital data.

2. A method according to claim 1, wherein a said set of passkeys specific to a destination is generated by dividing the said encryption key by a division pattern unique to the destination of the set.

3. A method according to claim 1 or 2, wherein a set of partial keys are generated by dividing a portion of a said set of passkeys specific to a destination by a predetermined division pattern specific to the destination of the set.

4. A signal processing method for use with an upstream system providing multipoint delivery of encrypted digital data to specific destinations, said method comprising the steps of:
encrypting (13) digital data at said upstream system using an encryption key;
generating (18) on the basis of said encryption key, a set of passkeys specific to each of said specific destinations;
generating (20) a plurality of partial keys based on a portion of the passkeys in said set or a portion of passkey information from which said passkeys may be reproduced;
delivering either said plurality of partial keys or partial key information, from which said partial keys may be reproduced, and delivering the remaining passkeys not used to generate said partial keys or the remaining passkey information, to each of said specific destinations over a plurality of delivery routes which differ from routes for delivering said digital data and which are further different from each other; and
delivering the encrypted digital data.

5. A method according to claim 4, wherein a said set of passkeys specific to a destination is generated by dividing the said encryption key by a division pattern unique to the destination of the set.

6. A method according to claim 4 or 5, wherein a set of partial keys are generated by dividing a portion of a said set of passkeys specific to a destination by a predetermined division pattern specific to the destination of the set.

7. A digital data delivery system comprising an upstream system providing multipoint delivery of encrypted digital data to specific destinations and a downstream system decrypting the delivered digital data;
said upstream system including:
an encrypting element (13) for encrypting digital data using an encryption key;
a first key information generator (18) for generating, on the basis of said encryption key, a set of passkeys specific to each of said specific destinations;
a second key information generator (20) for generating a plurality of partial keys based on a portion of the passkeys in said set or a portion of passkey information, from which said passkeys may be reproduced;
a key information delivery element for delivering either said plurality of partial keys or partial key information, from which said partial keys may be reproduced, and for delivering the remaining passkeys not used to generate said partial keys or the remaining passkey information, to each of said specific destinations over a plurality of delivery routes which differ from routes for delivering said digital data and which are further different from each other; and
a digital data delivery element for delivering the encrypted digital data;
and said downstream system including:
an encryption key restoring element (35B) for restoring said encryption key using either said plurality of partial keys or said partial key information and using either said remaining passkeys or said remaining passkey information delivered over said plurality of delivery routes; and
a decrypting element (35A) for decrypting the encrypted digital data using the restored encryption key.

8. A system according to claim 7, wherein the first key information generator is arranged to generate a said set of passkeys specific to a destination by dividing the said encryption key by a division pattern unique to the destination of the set.

9. A system according to claim 7 or 8, wherein the second key information generator is arranged to generate a set of partial keys by dividing a portion of a said set of passkeys specific to a destination by a predetermined division pattern specific to the destination of the set.

10. An upstream system for providing multipoint delivery of encrypted digital data to specific destinations, comprising:
an encrypting element (13) for encrypting digital data using an encryption key;
a first key information generator (18) for generating a plurality of partial keys based on a portion of the passkeys in said set or a portion of passkey information from which said passkeys may be reproduced;
a key information delivery element for delivering either said plurality of partial keys or partial key information, from which said partial keys may be reproduced, and delivering the remaining passkeys not used to generate said partial keys or the remaining passkey information, to each of said specific destinations over a plurality of delivery routes which differ from routes for delivering said digital data and which are further different from each other; and
a digital data delivery element for delivering the encrypted digital data.

11. A system according to claim 10, wherein the first key information generator is arranged to generate a said set of passkeys specific to a destination by dividing the said encryption key by a division pattern unique to the destination of the set.

12. A system according to claim 10 or 11, wherein the second key information generator is arranged to generate a set of partial keys by dividing a portion of a said set of passkeys specific to a destination by a predetermined division pattern specific to the destination of the set.

13. A storage medium which stores a computer-readable program for controlling the steps of:
encrypting digital data using an encryption key;
generating on the basis of said encryption key, a set of passkeys specific to each of specific destinations;
generating a plurality of partial keys based on a portion of the passkeys in said set or a portion of passkey information from which said passkeys may be reproduced;
delivering either said plurality of partial keys or partial key information, from which said partial keys may be reproduced, and delivering the remaining passkeys not used to generate said partial keys or the remaining passkey information, to each of said specific destinations over a plurality of delivery routes which differ from routes for delivering said digital data and which are further different from each other; and
performing multipoint delivery of the encrypted digital data to said specific destinations.

14. A medium according to claim 13, wherein the step of generating a set of passkeys specific to a destination comprises dividing by a division pattern unique to the destination of the set.

15. A medium according to claim 13 or 14, wherein the step of generating a set of partial keys comprises dividing a portion of a set of passkeys specific to a destination by a predetermined division pattern specific to the destination of the set.

